
Researchers: Hola Fixes Incomplete

Researchers who discovered a half-dozen vulnerabilities in the free Hola VPN said today that fixes rolled out by Hola do not address the security issues they identified.

Hola, a popular, free, peer-to-peer service that enables anonymous surfing and access to blocked online resources, said today it has patched vulnerabilities discovered last week that expose its millions of users to possible code execution, remote monitoring and other threats to privacy and security.

The researchers who last week disclosed vulnerabilities in the Hola Unblocker Windows client, Firefox and Chrome extensions, and the Hola Android app, however today said that the flaws are still present and that all Hola did was break a vulnerability checker proof-of-concept tool developed by the researchers.

The flaws, the researchers said on the Adios, Hola! website, turn Hola into a “poorly secured botnet—with serious consequences.” They add that a half-dozen security issues were identified, not two as Hola claimed.

“Hola also claims that ‘[vulnerabilities happen] to everyone.’ As we have pointed out from the start, the security issues with Hola are of such a magnitude that it cannot be attributed to ‘oversight’; rather, it’s straight-out negligence,” the researchers said. “They are not comparable to the others mentioned—they are much worse.”

In an advisory, the researchers describe the vulnerabilities that expose users to information disclosure, local file read, and remote code execution.

“As Hola users—wittingly, or otherwise—act as exit-nodes for the overlay network, each is capable of acting as a Man-in-the-Middle for other users of the free or premium Hola network, or its commercial ‘bandwidth’ service, Luminati, and thereby compromising the privacy and anonymity of their browsing and exposing them to further attacks,” the advisory said.

Hola CEO Ofer Vilenski conceded in a blog post today to mistakes he attributed to his company’s rapid growth. He called “unjustified” the accusations that Hola sells access to its network through Luminati for $20 per GB and does a shoddy job of screening those paying for access and what they do with it. Chat logs published on adios-hola.org between the researchers and a Hola salesperson allege that the salesperson said certain potentially harmful terms of service are not enforced. “We have no idea what you are doing on our platform,” adios-hola quotes the unnamed salesperson.

Being a free peer-to-peer network, Hola shares its users’ bandwidth with the network, and Vilenski said the company has changed its website and product “installation flows” to make that clear. Users who do not want to share idled resources can pay for Hola Premium. Vilenski also said Hola does not make its users part of a botnet.

“There was some concern that by selling our VPN services to enterprise customers, we were possibly exposing our users to cyber criminal traffic that could get them in trouble (Thus the ‘botnet’ accusation),” Vilenski wrote. “The reality is that we have a record of the real identification and traffic of the Luminati users, such that if a crime is committed, we can report this to the authorities, and thus the criminal is immediately identified. This makes the Hola/Luminati network unattractive to criminals – as opposed to Tor for example, which provides them complete anonymity for free.”

Last week, a distributed denial of service attack against the message board website 8chan, however, did take advantage of the Hola network. The DDoS was tracked back to Luminati, and today Vilenski admitted the hacker passed through the company’s filters.

Discussion

Honestly, you get what you pay for. I used Hola for a short period of time when I first subscribed to Netflix, but I've looked to paid alternatives now. Do your research; there are plenty of cheap alternatives that won't result in your PC getting hijacked by botnets. There are a couple of review sites that will help you find the right one: http://reviewmyvpn.com/nordvpn-review/

Just last night, I did a Google search and got a weird page with a CAPTCHA. For hours. Today I used a clean PC and found out why I got the weird Google page: Hola. I reloaded Firefox, and can't find Hola in any searches now. Got it from trying to install a DVD player from CNET; I always thought pretty much any link there would be safe. Guess not. Webroot did not catch Hola, and neither did a full safety scan from Microsoft.

Authors

Threatpost
